Unanswered legal problems with the Government’s new database of children

The Department of Education is building a database of Ireland’s children. It’s called the Primary Online Database and, currently, its intention is to collect a full profile of data on all the children in education and to store that data until they turn 30. Yes, 30.

They started in September 2014, taking data from schools directly, rather than asking parents in almost all cases. Now the department is sending home letters to parents about the database, baldly telling parents that they’re taking their child’s data.

The Department is collecting data on children, including sensitive data such as medical information, whether the children have psychological assessments, and religious and racial characteristics. This is something that requires careful planning to be done correctly. As the Irish Water debacle showed, an organisation can destroy public trust by careless information governance and ill-considered data demands. And any database that contains such critically sensitive data about all the citizens and residents of the state who are under 30 needs very significant and broadly based support.

This database, if leaked or misused, would compromise the identity security of every young person in the entire country. It would provide a treasure trove for blackmailers or identity thieves. It’s precisely because this sort of data is so red-hot radioactive that the Census data, the only collection comparable to this proposed datagrab, is given special legislative protections in the Statistics Act 1993.

Regrettably, it seems the Department of Education has not learned anything from the recent past. I contacted the department on the 6th January to set out some Data Protection concerns with the database. I followed this up with more than one telephone conversation. I received no written reply by the 20th January so I then made a formal complaint to the Data Protection Commissioner.

In that complaint I made the following points:

1/ Section 2(1)(c) of the Data Protection Acts (referred to hereunder as DPA) sets out the principle that data should be obtained for “one or more specified, explicit and legitimate purposes”. Children’s data was obtained from parents by their schools for specific, legitimate, internal school purposes. The Department is seeking to take that data from the school, under threat to its continued funding, and use it for radically different purposes, none of which were specified at the time the school obtained the child’s data, or necessary for those internal uses. This is not legitimate.

2/ In addition, the Department’s Letter to Parents states that it is the Department’s intention to store children’s data in the Primary Online Database until they reach the age of 30.

To me, this appears to be self-evidently an excessive retention period. Data may only be stored for as long as is required for the purpose for which it is collected. (per Section 2 (1)(c)(iv) DPA)

As all the purposes of this database are related to children’s primary school experiences, retention for decades after that experience ends will be a breach of the data protection acts, and contrary to Data Protection principles.

3/ I have very significant concerns about the data relating to children proposed by the Department to be obtained, processed, shared and retained until the age of 30. The material describing the contents of the POD database sets out data which is clearly sensitive personal data per the definition at Section 1 DPA.

In particular, the data fields;

“Learning Support

Is the pupil in receipt of low incidence support through NCSE? (drop-down list)
Yes
No

Is pupil receiving support under the General Allocation Model? (drop-down list)
Yes
No

There is no way for this data to be obtained or retained in compliance with the DPA, as there is no description or limits on what notes may be added to each child’s entry into the database- whether sensitive, relevant, necessary or appropriate. Whether the data is routinely accessed by the Department is irrelevant as it is being retained by the Dept and is accessible to any departmental user with Administrator status.

Furthermore it is not unknown for children to change schools precisely to obtain a fresh start, and it is unsatisfactory that the unlimited and unmonitored notes by staff of one institution would be transferred to the new school, colouring that school’s opinion of the child before they had even started.

In the absence of such consent a child’s school would be in breach of the data protection acts were they to transfer his or her PPSN data to the Department as a new Data Controller.

5/ I note that by letter dated 15th January the Minister for Education’s private secretary wrote to parents who have complained about this database and told them that:

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school going forward”

This threat effectively negates any consent that might be given, as it clearly represents a coercive effort to force consent in the face of the defunding of their child’s education. In addition, the threat to partially defund a school on the basis of purely automatic processing of data in a database represents a breach of Section 6B of the DPA:

“a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him”

To read more about how this database is being implemented in a way to undermine trust and effectiveness, take a look at data protection expert Daragh O’Brien’s two posts on the subject, here and here. Those posts give context to this ill-conceived project, by showing how and why the State consistently fails to respect citizens’ data rights.

If you agree with my points, please do contact your child’s school and let them know that you don’t give consent to your child’s data being entered onto POD, and let the Minister for Education, Jan O’Sullivan TD know your concerns about her plan by email [email protected] and/or make a complaint to the Data Protection Commissioner’s office (details here) if you have no satisfactory outcome from your contacts.

I’m noticing a long-term consent issue as well. When a child turns 18, can they have their details removed from the POD? More to the point, can a parent give the Department of Education permission to keep their children’s details on the POD after the child becomes an adult and therefore responsible for their own affairs?

I would also be concerned about the data being stored on the Revenue Commissioners’ servers. One reason being that it almost feels like the Department of Education is saying it doesn’t have the confidence to manage the database itself. Secondly, can we be sure Revenue wouldn’t use the data to help it with its own investigations?

POD indeed goes way too far. It exposes the children of this country en masse to a security risk no parent should allow.

Given serious issues in the past with the theft of Irish identities by agents involved in terrorist activities, is it wise to put all of this data at the potential disposal of anyone with the desire & ability to hack into it? Are our friends in British & US security services aware of what the Irish government propose?